
When Your CMMC Enclave Provider Closes Its Doors: Why Ownership Matters More Than Ever

By Andrew Lynch

    The defense industrial base (DIB) was recently rocked by news that a well-known CMMC enclave provider abruptly shut its doors, leaving customers scrambling for answers, uncertain about the security of their Controlled Unclassified Information (CUI), and suddenly facing an interrupted path to CMMC certification. No warning. No transition plan. Just a door closed and a compliance program thrown into crisis.

    For the organizations caught in that wake, the questions came fast:

    Who holds my data? Can I still access it? Where does my CMMC journey go from here?

    This moment exposes one of the most under-discussed debates in CMMC compliance:

    Are you renting your compliance, or do you actually own it?

    The "Own vs. Rent" Problem in CMMC

    The CMMC compliance market has grown rapidly, and with it, a wide spectrum of vendors promising to make the path to certification easier. At the extremes of that spectrum sit two very distinct models.

    The Renting Model

    On one end, you have the "renting" model — the managed enclave approach where a vendor stands up your entire compliance environment on their infrastructure, holds your encryption keys, controls your tenant, and manages your logs. Many lower-cost providers operate on a pay-to-play service model. The initial cost is lower, but the long-term costs can be much higher. This means your provider holds the keys to the tenant, the policies, and the logs — and you are renting your enclave. It sounds convenient, until your provider disappears. Then you realize you never owned anything at all.

    This model is beneficial to a provider as it keeps a business locked in to their service. Switching providers at any point will require a business to purchase a new enclave and, in many cases, undergo another CMMC Level 2 assessment. You’re completely dependent on the compliance service that’s supposed to help you stand on your own.

    The Owning Model

    On the other end, you have the "owning" model — building everything in-house. Full control. Full responsibility. Building an enclave internally requires dedicated IT and security expertise, plus significant ongoing maintenance. Most SMBs underestimate the cost of this, which can hit over $100k on compliance staffing alone. For most small and mid-sized defense contractors, this path is simply not realistic.

    So where does that leave you?

    The False Choice, and the Real Answer

    The good news is that owning vs. renting is a false binary, and the story of CMMC compliance doesn't have to end at either extreme. There is a smarter middle ground, one where you benefit from proven technology without surrendering control of your most sensitive data.

    That's precisely where Virtru lives.

    So Your Enclave Provider Closed. What Now?

    If your CMMC enclave provider has shut down, you are dealing with a compliance emergency on someone else's timeline. Here is what to do, in order.

    Get a copy of your data immediately. Before anything else, attempt to retrieve or export all CUI stored in your provider's environment. Contact their legal counsel or any court-appointed trustee about your data retrieval rights. Do not assume the data will remain accessible as the business winds down.

    Find out who holds your encryption keys, and what happens if your new vendor shuts down. If your provider held your keys (common in managed enclave models), you need to understand the status of that key material today. Keys that are inaccessible or unaccounted for are a compliance and operational problem, not just a vendor problem. Document everything you know about your key custody and escalate if there are gaps. And when surveying a new vendor, find out if you have the option to self-host or manage your own keys.

    Inventory your CUI. If you don't have a current, complete list of what CUI was stored, transmitted, or processed in your provider's environment, build one now from contracts, email records, shared files, and system logs. Your assessor will need this. Your contracting officer may need it sooner.

    Document the disruption to your compliance timeline. If you were mid-assessment, preparing for an assessment, or operating under an active CMMC requirement, document the specific gap created by the closure. CMMC assessors and DoD stakeholders are aware of the situation. A clear, factual record of your compliance posture before the disruption and the actions you took after it is your best protection.

    Don't let urgency push you into another bad deal. The pressure to find a replacement quickly is real, and vendors know it. A rushed decision that puts you back into another managed enclave with the same lock-in structure recreates the same risk. Take time (even a few days) to ask the ownership questions before signing anything: Who controls the keys? What happens to my data if the vendor closes? Can I take my compliance artifacts with me?

    Virtru: The Middle Ground Built on Genuine Data Ownership

    Virtru's approach to CMMC is fundamentally different from a traditional enclave model. We are not a full-stack enclave provider. We don't claim to solve every control or manage your entire compliance environment. Virtru supports 27 of the 110 CMMC Level 2 controls, as outlined in our Shared Responsibility Matrix. While Virtru will be just one component of your overall CMMC strategy, it can address a significant portion of requirements that demonstrate proper protection and access control for CUI.

    We say this not as a caveat. We say it as a point of pride, because honesty about scope is the foundation of a defensible compliance program. Virtru has chosen a conservative approach, identifying a maximum of 27 controls where our technology directly contributes to compliance objectives. This transparency helps organizations clearly understand where our solution provides genuine value and what responsibilities remain theirs to address through other means.

    A word of caution: If your vendor is claiming 90+ of the 110 controls, ask them to show their work … because your CMMC assessment will. Do not automatically fall for the vendor who claims the highest number of controls in their marketing collateral. A vendor that is honest about the 27 controls they actually solve is a partner. A vendor that claims to solve 102 controls by taking credit for Amazon's security guards is a liability to your business.

    You Hold the Keys. Literally.

    One of the most important overlooked questions in evaluating any CMMC compliance solution is deceptively simple.

    Who controls the encryption keys that protect your CUI?

    In most traditional enclave or managed service models, the answer is: your vendor.

    The encryption keys that protect your most sensitive data live in infrastructure owned and operated by a third party. If that vendor shuts down, gets acquired, or simply decides to change their terms — your access, your data, and your compliance posture are all at risk.

    It's worth understanding that most encryption architectures (including Virtru's) involve more than one key. Understanding how those keys are managed, who holds them, and where they live is important to evaluating whether you truly have control over your data.

    With Virtru, you have a choice that most vendors don't offer.

    By default, Virtru manages key services on your behalf in a FedRAMP-authorized environment, making deployment fast and operationally straightforward. But for organizations that require a higher degree of control, Virtru offers the Virtru Private Keystore, giving you the option to host your own encryption keys in the location of your choice: on-premises, or in a public or private cloud of your choosing.

    This means that even if something changes at the vendor level, your keys and your data remain under your control. That's a meaningful distinction in a world where compliance programs have been upended by a vendor's unexpected exit.

    Defense-in-Depth, Not a Silver Bullet

    We believe in honesty. No single vendor can get you to 100% CMMC compliance. Compliance requires a comprehensive security program with multiple technology layers working together, and no single vendor addresses all practices.

    Virtru specifically focuses on data protection controls and integrates with your broader security architecture, including your:

    • Threat detection platforms
    • SIEM solutions
    • Endpoint protection tools
    • Network security infrastructure

    We're designed to be one strong layer in your defense-in-depth strategy, not a standalone solution. That's the healthy, sustainable model. Virtru is your data-centric security partner in an ecosystem of trusted tools — not a vendor you're locked into, not a landlord who can evict you from your own compliance program.

    What Virtru Does for CMMC At a Glance

    Here's how Virtru directly supports your CMMC Level 2 certification journey:

    Capability | Details
    27 of 110 CMMC Level 2 Controls | Across Access Control, Audit & Accountability, and Systems & Communications Protection domains
    FedRAMP Moderate Authorized | Maintains a FedRAMP Moderate ATO covering the Virtru Data Security Platform
    FIPS 140-2 Validated Encryption | Military-grade encryption applied to every CUI object via our validated VirtruCrypto module
    Virtru Private Keystore | You can optionally retain control of encryption keys, on-premises or in a cloud of your choice
    Access to Audit Logs | Audit who has accessed CUI, when, where, and for how long. Export event logs for analysis or integrate with your SIEM for advanced threat intelligence.
    End-to-End Encrypted Email & File Sharing | Seamlessly protect CUI shared with primes, subcontractors, agencies, and mission partners
    Access Revocation & Expiration Controls | Change or revoke access permissions at any time, even after data leaves your organization
    Shared Responsibility Matrix | Clearly documents which controls are Virtru's responsibility, yours, or shared
    Zero Trust Data Architecture | Strengthens your Zero Trust posture aligned with DoD Zero Trust architecture
    Works with Microsoft Commercial & Google Workspace | No forced migration required
    CMMC Compliance Champions Program | Access to a community of trusted CMMC advisors and the Virtru Trust Center

    Built to Work With What You Already Have

    One of the most disruptive aspects of traditional enclave solutions is the migration burden they impose. Many providers require you to abandon your existing cloud environment and re-platform entirely, which is a costly, time-consuming, and operationally disruptive process.

    Virtru was designed differently.

    Microsoft GCC isn't required for CMMC compliance. With Virtru, you can manage CUI securely in a FedRAMP-authorized environment, even if you use Microsoft Commercial Cloud or Google Workspace for sharing CUI through email. Here’s what that looks like in practice:

    • Virtru for Microsoft 365 — encrypts CUI in Outlook email and Microsoft 365 files without requiring GCC High or a tenant migration
    • Virtru for Google Workspace — protects CUI in Gmail and Google Drive with the same persistent, attribute-based encryption
    • Virtru Secure Share — if your enclave going dark means you've lost a secure channel for sending and receiving CUI with primes, subcontractors, and agencies, Secure Share restores that capability immediately, with no recipient install required
    • Virtru Private Keystore — deploy and manage your own encryption keys in your own infrastructure, on-premises or in a cloud of your choice, so your compliance posture is never again contingent on a vendor's business decisions

    Don't Let a Vendor Hold Your Compliance Hostage

    The news of an enclave provider shutting down is a sobering reminder that your compliance posture is only as stable as the foundation it's built on. If that foundation is owned by someone else, you are one business decision (theirs, not yours) away from starting over.

    Virtru gives you the middle ground the DIB deserves:

    • Enterprise-grade, FedRAMP-authorized data protection
    • Support for 27 critical CMMC Level 2 controls
    • Seamless integration into your existing environment
    • You remain in control of your data and your keys

    Your compliance journey shouldn't be derailed by someone else's business problems.

    We're here to help, and for DIB contractors affected by the NeoSystems shutdown we’re offering a month free. Schedule a conversation with our team today and let's talk about where Virtru fits in your path to CMMC Level 2.

    Virtru is a FedRAMP Authorized data security platform trusted by hundreds of organizations in the Defense Industrial Base. Learn more at virtru.com/cmmc.

    Andrew Lynch

    A VP at Virtru, Andrew Lynch works closely with a wide range of customers in InfoSec roles, many of whom are on the front lines of CMMC, ITAR, and other advanced compliance needs for global organizations.
